
Bug#1108863: [discussion] unblock: jq/1.8.0-1



On 2025-07-06 15:28:25 +0200, Salvatore Bonaccorso wrote:
> Package: release.debian.org
> Severity: normal
> X-Debbugs-Cc: jq@packages.debian.org, team@security.debian.org, ChangZhuo Chen (陳昌倬) <czchen@debian.org>, carnil@debian.org
> Control: affects -1 + src:jq
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Hi ChangZhuo Chen, hi release team
> 
> This is not actually a proper unblock request. There is in unstable a
> new jq version which fixes CVE-2025-48060 (the other mentioned CVEs
> were already fixed earlier afaics). 
> 
> But there is now a problem. 
> 
> 1. the new upstream version fails to build on i386.
> 
> 2. the new upstream version 1.8.0 itself introduces a new security
> issue, CVE-2025-49014.
> 
> ChangZhuo Chen, what is your take here? I see possibly two ways:
> 
> Convince release team that a version based on 1.8.0 + including the
> security fix for CVE-2025-49014 and the FTBFS for i386 is fine, or
> actually revert back to 1.7.1-6, and apply the fix for CVE-2025-48060
> on top.

I think a targeted fix on top of 1.7.1 would be more appropriate. I
don't expect all of " 190 files changed, 30175 insertions(+), 24688
deletions(-)" is needed to fix CVE-2025-49104.

Cheers

> 
> Regards,
> Salvatore

-- 
Sebastian Ramacher

